Sha1-Hulud The Second Coming - Postman, Zapier, PostHog all compromised via NPM

In September, a self-propagating worm called Sha1-Hulud came into action. A new version is now spreading and it is much much worse!

Link: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

The mechanics are basically the same: it infects NPM packages with stolen developer tokens. The malware uses a preinstall script to run on a victim machine, scans for secrets, steals them and publishes them on GitHub in a public repository. It then uses the stolen NPM tokens to infect more packages.

In September, it never reached critical mass... But now it looks like it has.

So far, over 28,000 GitHub repositories have been made with the description "Sha1-Hulud: The Second Coming". These repos have the stolen secrets inside them encoded in Base64.

https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming&ref=opensearch&type=repositories

We first published about this after our discovery at 09:25 CET, but it has since got much worse. https://x.com/AikidoSecurity/status/1992872292745888025

At the start, the most significant compromise was Zapier (we still think this is the most likely first seed), but as the propagation started to pick up steam, we quickly saw other big names like Postman and PostHog also fall.

Technical details of the attack

Impact & Affected Packages

We are updating our blog as we go; at the time of writing it's 425 packages covering 132 million weekly downloads in total.

Compromised Zapier Packages

zapier/ai-actions zapier/ai-actions-react zapier/babel-preset-zapier zapier/browserslist-config-zapier zapier/eslint-plugin-zapier zapier/mcp-integration zapier/secret-scrubber zapier/spectral-api-ruleset zapier/stubtree zapier/zapier-sdk zapier-async-storage zapier-platform-cli zapier-platform-core zapier-platform-legacy-scripting-runner zapier-platform-schema zapier-scripts 

Compromised Postman Packages

postman/aether-icons postman/csv-parse postman/final-node-keytar postman/mcp-ui-client postman/node-keytar postman/pm-bin-linux-x64 postman/pm-bin-macos-arm64 postman/pm-bin-macos-x64 postman/pm-bin-windows-x64 postman/postman-collection-fork postman/postman-mcp-cli postman/postman-mcp-server postman/pretty-ms postman/secret-scanner-wasm postman/tunnel-agent postman/wdio-allure-reporter postman/wdio-junit-reporter 

Compromised PostHog Packages

posthog/agent posthog/ai posthog/automatic-cohorts-plugin posthog/bitbucket-release-tracker posthog/cli posthog/clickhouse posthog/core posthog/currency-normalization-plugin posthog/customerio-plugin posthog/databricks-plugin posthog/drop-events-on-property-plugin posthog/event-sequence-timer-plugin posthog/filter-out-plugin posthog/first-time-event-tracker posthog/geoip-plugin posthog/github-release-tracking-plugin posthog/gitub-star-sync-plugin posthog/heartbeat-plugin posthog/hedgehog-mode posthog/icons posthog/ingestion-alert-plugin posthog/intercom-plugin posthog/kinesis-plugin posthog/laudspeaker-plugin posthog/lemon-ui posthog/maxmind-plugin posthog/migrator3000-plugin posthog/netdata-event-processing posthog/nextjs posthog/nextjs-config posthog/nuxt posthog/pagerduty-plugin posthog/piscina posthog/plugin-contrib posthog/plugin-server posthog/plugin-unduplicates posthog/postgres-plugin posthog/react-rrweb-player posthog/rrdom posthog/rrweb posthog/rrweb-player posthog/rrweb-record posthog/rrweb-replay posthog/rrweb-snapshot posthog/rrweb-utils posthog/sendgrid-plugin posthog/siphash posthog/snowflake-export-plugin posthog/taxonomy-plugin posthog/twilio-plugin posthog/twitter-followers-plugin posthog/url-normalizer-plugin posthog/variance-plugin posthog/web-dev-server posthog/wizard posthog/zendesk-plugin posthog-docusaurus posthog-js posthog-node posthog-plugin-hello-world posthog-react-native posthog-react-native-session-replay 

What to do if you’re impacted (or want to protect yourself)

Search for and immediately remove/replace any compromised packages.

Clear npm cache (npm cache clean --force), delete node_modules, reinstall clean. (This will prevent reinfection)

Rotate all credentials: npm tokens, GitHub PATs, SSH keys, cloud credentials. Enforce MFA (ideally phishing-resistant) for developers + CI/CD accounts.

Audit GitHub & CI/CD pipelines: search for new repos with description “Sha1-Hulud: The Second Coming”, look for unauthorized workflows or commits, monitor for unexpected npm publishes.

Implement something like Safe-Chain to prevent malicious packages from getting installed: https://github.com/AikidoSec/safe-chain

Links

Blog Post: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

First Social Posts

https://www.linkedin.com/posts/advocatemack_zapier-supply-chain-compromise-alert-in-activity-7398643172815421440-egmk

submitted by /u/Advocatemack